Privacy Policy

Introduction

US & UK Medical Abroad, LLC, doing business as MDabroad ("MDabroad," "we," "us," or "our"), is committed to protecting the privacy and security of your personal information. This Privacy Policy describes how we collect, use, disclose, and safeguard information when you visit our website (mdabroad.com), use our services, or otherwise interact with us.

MDabroad provides international medical assistance, claims management, cost containment, and technology services to insurers, third-party administrators, healthcare providers, and individuals. Given the nature of our services, we may process sensitive health information and are committed to handling such data in compliance with applicable laws, including the Health Insurance Portability and Accountability Act (HIPAA), the General Data Protection Regulation (GDPR), and Brazil's Lei Geral de Proteção de Dados (LGPD).

By accessing our website or using our services, you acknowledge that you have read and understood this Privacy Policy.

Information We Collect

Information You Provide Directly

• Contact Information: Name, email address, phone number, mailing address, job title, and company name when you submit forms, request information, or contact us.
• Account Information: Login credentials if you create an account on our provider portal or other platforms.
• Health Information: Medical records, diagnosis codes, treatment information, and other Protected Health Information (PHI) when we coordinate medical assistance or process claims on behalf of insurers or their members.
• Financial Information: Banking details, payment information, and billing data when processing claims or provider payments.
• Communications: Content of emails, chat messages, phone calls (which may be recorded for quality assurance), and other communications with our team.
• RFP and Business Information: Company details, insurance portfolio information, and requirements submitted through our RFP center.

Information Collected Automatically

• Device Information: IP address, browser type, operating system, device identifiers, and mobile network information.
• Usage Data: Pages visited, time spent on pages, links clicked, and navigation patterns on our website.
• Cookies and Tracking Technologies: We use cookies, pixel tags, and similar technologies to enhance your experience, analyze usage, and deliver targeted content.
• Location Data: General geographic location based on IP address.

Information from Third Parties

• Insurance Partners: Member eligibility data, policy information, and claims history from insurers and TPAs who engage our services.
• Healthcare Providers: Medical records, invoices, and treatment documentation from hospitals and clinics in our network.
• Business Partners: Information from assistance partners, payment processors, and technology vendors who support our operations.

How We Use Your Information

Service Delivery

• Coordinating emergency medical assistance and case management
• Processing and adjudicating insurance claims
• Arranging medical evacuations, repatriations, and transfers
• Facilitating telemedicine consultations and pharmacy services
• Managing provider payments and claims financing
• Verifying insurance benefits and issuing letters of guarantee

Business Operations

• Responding to inquiries and providing customer support
• Processing RFP submissions and business development requests
• Onboarding providers to our network
• Managing contractual relationships with insurers and partners
• Conducting quality assurance and training (including call recording)

Improvement and Analytics

• Analyzing website usage to improve user experience
• Developing new features and services
• Conducting research and statistical analysis
• Measuring the effectiveness of our communications

Legal and Compliance

• Complying with applicable laws, regulations, and legal processes
• Enforcing our terms of service and other agreements
• Protecting the rights, safety, and property of MDabroad, our clients, and others
• Detecting and preventing fraud, abuse, and security incidents

How We Share Your Information

We do not sell your personal information. We may share information in the following circumstances:

With Insurance Partners

We share member health information and claims data with the insurers, TPAs, and assistance companies who have engaged us to provide services on their behalf. This sharing is necessary to fulfill our contractual obligations and is subject to business associate agreements where applicable.

With Healthcare Providers

We share member information with hospitals, clinics, physicians, and other healthcare providers as necessary to coordinate medical care, verify benefits, and process claims.

With Service Providers

We engage third-party vendors who perform services on our behalf, including cloud hosting and data storage providers, payment processing and banking partners, communication platforms, analytics and website optimization tools, and document processing services. These vendors are contractually obligated to protect your information and use it only for the purposes we specify.

For Legal Reasons

We may disclose information when required by law, subpoena, court order, or government request, or when we believe disclosure is necessary to protect our rights, investigate fraud, or ensure the safety of any person.

Data Retention

We retain personal information for as long as necessary to fulfill the purposes described in this Privacy Policy, unless a longer retention period is required or permitted by law. Health information related to claims is typically retained for a minimum of seven (7) years from the date of service, or longer as required by applicable law or contract.

Your Rights and Choices

For All Users

• Access: Request a copy of the personal information we hold about you.
• Correction: Request correction of inaccurate or incomplete information.
• Opt-Out of Marketing: Unsubscribe from promotional emails using the link in any marketing message or by contacting us.
• Cookie Preferences: Manage cookie settings through your browser or our cookie consent tool.

For European Economic Area (EEA) Residents (GDPR)

• Erasure: Request deletion of your personal data, subject to legal retention requirements.
• Restriction: Request that we restrict processing of your data in certain circumstances.
• Portability: Request your data in a structured, machine-readable format.
• Objection: Object to processing based on legitimate interests or for direct marketing.
• Withdraw Consent: Where processing is based on consent, withdraw consent at any time.
• Lodge a Complaint: File a complaint with your local data protection authority.

For Brazilian Residents (LGPD)

You have similar rights under Brazil's LGPD, including access, correction, anonymization, portability, deletion, and information about sharing. You may also revoke consent at any time.

For California Residents (CCPA/CPRA)

You have the right to know what personal information we collect, request deletion, opt out of sales (we do not sell personal information), and not be discriminated against for exercising your rights.

International Data Transfers

MDabroad operates globally, with offices in the United States, Brazil, and Argentina. Your information may be transferred to and processed in countries other than your country of residence, including the United States.

For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) approved by the European Commission, adequacy decisions where applicable, and other lawful transfer mechanisms.

Security

We implement appropriate technical and organizational measures to protect your information against unauthorized access, alteration, disclosure, or destruction. These measures include:

• Encryption of data in transit (TLS) and at rest
• Role-based access controls with audit logging
• Multi-factor authentication for system access
• Regular security assessments and penetration testing
• SIEM (Security Information and Event Management) monitoring
• Employee training on data protection and security
• Physical security at our facilities

Cookies and Tracking Technologies

We use cookies and similar technologies to:

• Essential Cookies: Enable core website functionality (e.g., session management, security).
• Analytics Cookies: Understand how visitors use our website (e.g., Google Analytics).
• Functional Cookies: Remember your preferences and settings.
• Marketing Cookies: Deliver relevant advertisements and measure campaign effectiveness.

You can manage cookie preferences through your browser settings or our cookie consent banner.

Children's Privacy

Our services are not directed to individuals under the age of 18, and we do not knowingly collect personal information from children. If we learn that we have collected information from a child, we will take steps to delete it promptly.

Changes to This Privacy Policy

We may update this Privacy Policy from time to time to reflect changes in our practices, technologies, legal requirements, or other factors. When we make material changes, we will notify you by updating the "Last Updated" date at the top of this policy.

Contact Us

Additional Disclosures

HIPAA Business Associate

When MDabroad processes Protected Health Information on behalf of covered entities (insurers, health plans), we do so as a Business Associate under HIPAA. Our use and disclosure of PHI is governed by Business Associate Agreements with our covered entity clients and applicable HIPAA regulations.

SOC 2 and ISO 27001

MDabroad maintains security certifications including ISO 27001 and undergoes regular third-party audits to validate our security controls.

© 2026 US & UK Medical Abroad, LLC d/b/a MDabroad. All rights reserved.